String solving with word equations and transducers: towards a logic for analysing mutation XSS-Reference-Cited by-同舟云学术

String solving with word equations and transducers: towards a logic for analysing mutation XSS

Published:2016-04-08 Issue:1 Volume:51 Page:123-136
ISSN:0362-1340
Container-title:ACM SIGPLAN Notices
language:en
Short-container-title:SIGPLAN Not.

Author:

Lin Anthony W.¹,Barceló Pablo²

Affiliation:

1. Yale-NUS College, Singapore

2. University of Chile, Chile

Abstract

We study the fundamental issue of decidability of satisfiability over string logics with concatenations and finite-state transducers as atomic operations. Although restricting to one type of operations yields decidability, little is known about the decidability of their combined theory, which is especially relevant when analysing security vulnerabilities of dynamic web pages in a more realistic browser model. On the one hand, word equations (string logic with concatenations) cannot precisely capture sanitisation functions (e.g. htmlescape) and implicit browser transductions (e.g. innerHTML mutations). On the other hand, transducers suffer from the reverse problem of being able to model sanitisation functions and browser transductions, but not string concatenations. Naively combining word equations and transducers easily leads to an undecidable logic. Our main contribution is to show that the "straight-line fragment" of the logic is decidable (complexity ranges from PSPACE to EXPSPACE). The fragment can express the program logics of straight-line string-manipulating programs with concatenations and transductions as atomic operations, which arise when performing bounded model checking or dynamic symbolic executions. We demonstrate that the logic can naturally express constraints required for analysing mutation XSS in web applications. Finally, the logic remains decidable in the presence of length, letter-counting, regular, indexOf, and disequality constraints.

Publisher

Association for Computing Machinery (ACM)

Subject

Computer Graphics and Computer-Aided Design,Software

Link

https://dl.acm.org/doi/pdf/10.1145/2914770.2837641

Reference76 articles.

1. BEK website (referred in Nov 2015). http://research. microsoft.com/en-us/projects/bek/. BEK website (referred in Nov 2015). http://research. microsoft.com/en-us/projects/bek/.

2. OWASP XSS cheat sheet (referred in Nov 2015). https: //www.owasp.org/index.php/XSS_(Cross_Site_Scripting) _Prevention_Cheat_Sheet. OWASP XSS cheat sheet (referred in Nov 2015). https: //www.owasp.org/index.php/XSS_(Cross_Site_Scripting) _Prevention_Cheat_Sheet.

3. SAT competition (referred in Nov 2015). http://www. satcompetition.org/. SAT competition (referred in Nov 2015). http://www. satcompetition.org/.

4. SMT competition (referred in Nov 2015). http://www.smtcomp. org/. SMT competition (referred in Nov 2015). http://www.smtcomp. org/.

5. Google Closure Library (referred in Nov 2015). https:// developers.google.com/closure/library/. Google Closure Library (referred in Nov 2015). https:// developers.google.com/closure/library/.

Cited by 39 articles. 订阅此论文施引文献订阅此论文施引文献，注册后可以免费订阅5篇论文的施引文献，订阅后可以查看论文全部施引文献

1. Twenty-two years since revealing cross-site scripting attacks: A systematic mapping and a comprehensive survey;Computer Science Review;2024-05

2. Parikh’s Theorem Made Symbolic;Proceedings of the ACM on Programming Languages;2024-01-05

3. A Closer Look at the Expressive Power of Logics Based on Word Equations;Theory of Computing Systems;2023-12-11

4. Solving String Constraints with Lengths by Stabilization;Proceedings of the ACM on Programming Languages;2023-10-16

5. A symbolic algorithm for the case-split rule in solving word constraints with extensions;Journal of Systems and Software;2023-07